• No se han encontrado resultados

José Luis Arriaga Ornelas* Juan Jesús Velasco Orozco**

In document Cultura y sociedad en movimiento (página 58-86)

6.8.1 Defining Labels Observable by the Attacker

Let us first of all consider what the attacker who can observe the network is able to see. For every transition with a label l, he would be able to see the corresponding label lattfrom the set Latt below. Note that the third line of the grammar represents

the attacker’s observations of receiver messages2.

Latt = {(o, m)|o ∈ (S ∪ M) ∧ m ∈ M}

∪ {(o, m)|o ∈ (S ∪ M) ∧ m ∈ M} ∪ {(m, r, c)|m ∈ M ∧ r ∈ R ∧ c ∈ C}

We can now define a function strip: L→ Latt which extracts the information which

the attacker can observe from a single label directly. strip(s, (m−→m, r, c)) = (s, m) strip(m, (ε, r, c)) = (m, r, c) strip(τ, (o, (m−→m, r, c))) = (o, m) strip(τ, (o, (m−→m, r, c))) = (o, m) strip(τ, (m, (ε, r, c))) = (m, r, c)

As noted above, we want to make explicit the fact that the attacker can match up the sending and receiving events of one message by looking at the bits which comprise the encrypted message.

To do so, we proceed to define tags which specify which outgoing message corresponds to which incoming message. First, however, we need some more definitions.

2Whether the attacker actually observes the content of a receiver message depends on whether

the communication was end-to-end encrypted. Here we suppose that it was not and the content was visible.

6.8.2 Defining Traces

A complete trace −→l is a sequence of labels l1. . . lngenerated by the transition system

which also satisfies some conditions.

(σ0; ν0)−→ . . .l1 −→ (σln 0; ν0)

where (σ0, ν0) represents the empty system – no messages in mixes and no messages

in the network. Expressed formally, σ0= λm∈ M.∅ and ν0 =∅.

The conditions which traces have to satisfy are listed below (some of these have been mentioned previously).

1. All external receive labels have to have different content: −

l = (−→l

1(s, (−→m, r, c))−→l2(s0, (m−→0, r0, c0))−→l3)⇒ c 6= c0

2. All external receive labels cannot have the same mix more than once consecu- tively.

((s, (−→mmm0−m→0, r, c))−→l )⇒ m 6= m0

Omitting this restriction would not be faithful to the real network as our model would allow the possibility of messages going from a host to itself taking arbi- trary amounts of time to do so, whilst this does not happen in a real network. The model could be augmented with further rules which would model the fact that when messages go from the host to itself, they do so quickly, but this would obscure the focus of the work. Therefore we choose to forbid this. 3. All external receive labels have to come from different senders (i.e. each sender

sends just one message). −

l = (→−l1(s, (−→m, r, c))−→l2(s0, (m−→0, r0, c0))−→l3)⇒ s 6= s0

As we mentioned above, if we feel unhappy about this, we can just define a new network where each sender S is represented by several senders Si, such that Si

sends only the ith message that S sent in the original network.

4. The length of the route a message is to pass through cannot be more than the maximum route length. ((s, (−→m, r, c))∈−→l )⇒ |−→m| < rl

trace (−→l ) = (−→l1,−→l2,→−l3, s, s0, −→m,m−→0, r, r0, c, c0. ((−→l = (−→l1(s, (−→m, r, c))−→l2(s0, (−m→0, r0, c0))−→l3))⇒ c 6= c0)) ∧ (∀s, −→m, m, m0,−m→0, r, c. ((s, (−→mmm0−m→0, r, c))−→l ⇒ m 6= m0)) ∧ (∀−→l1,−→l2,−→l3, s, s0, −→m,−m→0, r, r0, c, c0. ((−→l =−→l1(s, (−→m, r, c))−→l2(s0, (−m→0, r0, c0))−→l3)⇒ s 6= s0)) ∧ (∀s, −→m, r, c.((s, (−→m, r, c))−→l ⇒ |−→m| < rl)) complete trace(−→l ) = (σ0; ν0) − → l −→ (σ0; ν0) ∧ trace(l)

We also define a function typ for extracting the type of a label as follows: typ(s, (−→m, r, c)) = ext-recv

typ((m, (ε, r, c))) = ext-send typ(τ, (o, (−→m, r, c))) = mix-recv typ(τ, (m, (−→m, r, c))) = mix-send

6.8.3 Attacker Observations

As mentioned before, we need to establish the correspondence between the send and receive labels which correspond to sending and receiving of one message. We illustrate this idea with an example. Suppose a message leaves mix m for mix m0, and gets delayed in the network for a long time. Then, (after mix m has fired several times), another message leaves mix m for mix m0 and arrives quickly at mix m0. Subsequently, the first message arrives at mix m0.

The following part of a real trace corresponds to this scenario: [. . . (τ, (m, ([m0], r1, c1)); (τ, (m, ([m0], r2, c2));

(τ, (m, [m0], r2, c2)); (τ, (m, [m0], r1, c1)) . . .]

Clearly, the sequence of attacker labels that the adversary would be observing is the following (this should be clear from the range of the function strip):

[. . . (m, m0); (m, m0); (m, m0); (m, m0) . . .]

Thus, it is not clear from this sequence of labels that the first message arrived after the second. On the other hand, the real attacker who watches the network can

deduce this fact easily – the bits comprising the two messages are different and he can compare the bits of messages coming out of mix m to the bits of messages coming into mix m0. The network does not transform messages in any way (if it does, the message will be dropped by the mix as it will not decrypt to anything sensible), so it is easy for the attacker to work out which message is which. This is, of course not a problem – it is the mixes which are supposed to introduce anonymity in the system, not the network.

We express this correspondence by means of a relation ˆR−→

l onN×N. If (i, i0) is in ˆR−→l,

this represents the fact that li is the sending of a message which was received with

the label li0. By li, of course, we mean the ith label in the sequence, starting from

zero. The situation in our example above could then be described by the attacker trace

[. . . (m, m0); (m, m0); (m, m0); (m, m0) . . .]

together with the relation {(0, 3), (1, 2)}.

In our model, there are three ways different labels can represent sending and receiving of messages. First, an ext-recv label will necessarily correspond to a mix-recv label (a message sent in by a user gets received by a mix), a mix-send label can correspond to a mix-recv label (as in the example above) or a mix-send label can correspond to an ext-send label (representing a message sent out by a mix to a user and the user receiving it).

Given a trace −→l , we represent the attacker observation of it as follows: 1. We construct the relation ˆR−→

l which establishes the correspondence between

sending and receiving events of messages.

2. We use the relation to include the information about the correspondence of the different events together with the events themselves.

3. We construct a new trace with the information hidden by encryption removed (using the function strip defined above), but with the correspondence included. There are a number of things we have to take care of. First of all, we would like to ensure that given a complete trace −→l , we can construct a relation ˆR−→

l “properly”.

First, let us make sure that messages in our system cannot be duplicated. Lemma 1 A trace of the system contains no label more than once. More formally,

Proof. By induction on the number of the mixes in the sequence of mixes, while observing that if that does not change then the type of events must be different. Now we can define the relation ˆR−→

l that we are looking for. First, we define a family

R−→

l of relations R−→l where each R−→l represents a correct but partial “matching up”

of send and receive labels of the trace−→l . We defineR−→

l as the set of all relations R

satisfying a predicate P−→l. P−→ l(R) = complete trace( − → l ) (∀(i, i0)∈ R ∃m, m0, −m, r, c, s. ((li= (τ, (m0, (m−→m, r, c))) ∧ li0 = (τ, (m0, (m−→m, r, c)))) ∨ (li = (s, (−→m, r, c)) ∧ li0 = (τ, (s, (−→m, r, c)))) ∨ (li = (τ, (m, (ε, r, c))) ∧ li0 = (m, (ε, r, c))))

Now we want to find the biggest relation in R−→

l. We can compare these relations

using the inclusion ordering. The biggest relation is the union of all others, as we can show that P satisfies the following property.

Lemma 2 For a trace −→l , the union of a set of relations satisfying P−→

l is itself a

relation which satisfies P−→l. More formally, P (SR∈R

l R).

Proof. Consider an arbitrary member of the union of the sets of relations, and check that it is consistent with P .

Now we need to make sure that no label is in the relation more than once, e.g. it is impossible that our model shows that some message was sent once and received twice (or, sent twice and received once!).

Lemma 3 Every label index occurring in a relation satisfying P appears at most once.

∀(i, i0)∈ R. 6 ∃i00.(i, i00)∈ R ∧ 6 ∃i000.(i000, i0)∈ R Proof. By case analysis of an arbitrary label li.

We can also show that a label occurs at least once in a relation satisfying P−→ l.

Lemma 4 Every label index occurring in a relation satisfying P appears at least once.

Proof. By case analysis of an arbitrary label li – in a complete trace there is always

a corresponding label which “causes” li or “is caused” by it.

Clearly, the largest relation satisfying P−→

l(R) is the union of the set of all the relations

satisfying P−→l(R), and by Lemma 2 it satisfies P−→l(R). Hence, we can find the largest relation ˆR−→l =SR∈R

l R which will contain all the label indices exactly once.

Now that we are sure that we can generate a “proper” ˆR−→

l, we are ready to use it

and obtain a trace representing the attacker’s observation.

6.8.4 Erasing the Trace

Now we are ready to define the erasure function. It takes a complete trace as input, and outputs an attacker trace tagged with a pair of integers according to the relation

ˆ R−→

l. The pair of integers are the sequence number of this label and the sequence

number of the label it is related to by the relation.

The erasure function erase−→l : L∗→ (Latt× N × N)∗ can now be defined as follows:

erase(−→l ) = map (λi.(strip(li))id→−l(i)) [0, . . . ,|−→l | − 1]

where id−→

l(i) is the unique pair (i, i1) such that (i, i1)∈ R−→l ∨ (i1, i)∈ R−→l and map

is the function which applies its first argument (which is itself a function) to each element of its second argument (which is a list).

Hence, in our example at the beginning of Section 6.8.3, the attacker observes: [. . . (m, m0)

(0,3); (m, m0)(1,2); (m, m0)(2,1); (m, m0)(3,0). . .]

Having obtained from −→l a sequence of integer tagged attacker labels which we call Obs−→l , we proceed with the definitions of anonymity.

In document Cultura y sociedad en movimiento (página 58-86)

Documento similar